[Openid-specs-ab] [openid/connect] Allow for more cryptographic agility? Use of client_secret as key is tied directly to HS256, HS384 and HS512 algos. (issue #663)
issues-reply at bitbucket.org
Wed Oct 10 19:50:42 UTC 2012
--- you can reply above this line ---
New issue 663: Allow for more cryptographic agility? Use of client_secret as key is tied directly to HS256, HS384 and HS512 algos.
Step 5 in http://openid.net/specs/openid-connect-messages-1_0.html#id.token.verification has "If the alg parameter of the JWT header is one of HS256, HS384, or HS512, the client_secret for the client_id contained in the aud (audience) Claim is used as the key to validate the signature."
Perhaps something like the following to replace the first part of that sentence would accomplish the same thing but more generally allow for the use of a SHA3 HMAC or whatever else might come along in the future,
"If the alg parameter of the JWT header indicates the use of a MAC based algorithm, the client_secret..."
This is an issue notification from bitbucket.org. You are receiving
this either because you are the owner of the issue, or you are
following the issue.
More information about the Openid-specs-ab